Privacy & GDPR
Your Data & Privacy Rights
Last updated: 10 June 2026
What We Store
When you place an order or create an account, we store the information needed to fulfil your order and provide customer support:
- Account: name, email address, encrypted password, optional two-factor authentication settings
- Addresses: delivery addresses you save for faster checkout
- Orders: items ordered, quantities, prices, delivery address, payment reference, shipping tracking details, and order status history
- Reviews: product reviews you submit (published only after approval)
- Preferences: your marketing opt-out choices, such as cart reminder emails
- Site activity: anonymous search terms and email delivery records (for diagnosing delivery issues)
We never store full card numbers. Payments are processed by Stripe or PayPal β both are PCI-compliant payment providers.
How Long We Keep It
| Data | Kept for | Reason |
|---|---|---|
| Orders & order items | Indefinitely | UK tax law requires accounting records for at least 6 years. When an account is deleted, orders are unlinked from your personal details but the financial record is retained. |
| Account & personal details | Until you delete your account | Needed to provide your account services |
| Saved addresses | Until you delete your account | Convenience at checkout |
| Product reviews | Until you delete your account | Published reviews are removed when your account is erased |
| Site search activity | 12 months | Helps us understand which products are being searched for |
| Email delivery records | 12 months | Used to diagnose delivery failures |
| Expired password-reset & verification tokens | 30 days after expiry | Security audit trail |
| Saved cart data | 30 days of inactivity | Abandoned cart recovery; cleared automatically when idle |
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access β you can download a copy of everything we hold about you at any time
- Right to erasure β you can permanently delete your account and all associated personal data. Orders are unlinked (not deleted) to meet legal accounting obligations
- Right to object β you can opt out of non-essential communications such as cart reminder emails at any time
- Right to rectification β if any information is incorrect, contact us and we will correct it
- Right to portability β your data export is in machine-readable JSON format
If you believe we have mishandled your data you can also lodge a complaint with the UK Information Commissioner's Office (ICO).
Exercising Your Rights
Most actions are self-service from your account page β no need to contact us:
- Download your data β sign in and go to My Account β Your Data β Download My Data
- Delete your account β sign in and go to My Account β Your Data β Delete Account. This is immediate and permanent
- Opt out of cart reminders β sign in and go to My Account β Email Preferences
For anything else β corrections, questions, or complaints β email us at [email protected].
How We Protect Your Data
- HTTPS everywhere β all traffic between your browser and the shop is encrypted
- Passwords never stored in plain text β passwords are hashed with bcrypt before storage. Even if our database were exposed, your password would not be readable
- Two-factor authentication β optional TOTP authenticator-app support for account holders, strongly recommended
- No card storage β we never store your full card number. All card data is handled by Stripe
- Admin audit log β all sensitive admin actions (logins, order changes, customer deletions, settings changes) are logged and retained for 2 years
- Access controls β admin areas are protected by separate authentication. Customer data is only accessible to authenticated account holders and admin staff
Third Parties
- Stripe β card and wallet payments. Receives your card details and billing address to process payment. Stripe Privacy Policy
- PayPal β PayPal payments. PayPal Privacy Policy
- Google Analytics β only loaded if you accept analytics cookies. Receives anonymised page-view data. Google Privacy Policy
- Email provider β we use SMTP to send transactional emails (order confirmations, shipping updates, password resets). Your email address and name are shared with our mail provider solely for delivery
- Royal Mail / couriers β your name and delivery address are passed to the carrier to fulfil your order
We do not sell or share your personal data with any other third parties for marketing or advertising purposes.
Contact
For any privacy or data-related questions, email us at [email protected].
Eplop LTD Β· 37 Carnoustie Close, Ashington, Northumberland, NE63 9GB Β· Company No. 12168148